Abstract — We show that duals of certain low-density parity-check
(LDPC) codes, when used in a standard coset coding scheme, provide
strong secrecy over the binary erasure wiretap channel (BEWC). This
result hinges on a stopping set analysis of ensembles of LDPC codes
with block length $n$ and girth $> 2k$, for some $k > 2$. We show that
if the minimum left degree of the ensemble is $l_{\min}$, the expected
probability of block error is
$O\left(1/n^{\lceil l_{\min} k/2 \rceil - k}\right)$ when the erasure
probability $\epsilon < \epsilon_{ef}$, where $\epsilon_{ef}$ depends
on the degree distribution of the ensemble. As long as $l_{\min} > 2$
and $k > 2$, the dual of this LDPC code provides strong secrecy over a
BEWC of erasure probability greater than $1 - \epsilon_{ef}$.



I. Introduction 

The information-theoretic limits of secure communications over public
channels were first investigated by Shannon [1]; given a message $M$
and its corresponding cryptogram $X^n$ of length $n$, a message is
communicated with perfect secrecy if $I(M; X^n) = 0$. Shannon proved
the disappointing result that perfect secrecy requires a secret key
$K$ with entropy $H(K) \ge H(M)$. In this setting, Wyner subsequently
proposed an alternative model for secure communication called a
wiretap channel [2], in which all communications occur over noisy
channels and the eavesdropper observes a degraded version $Z^n$ of the
signal received by the legitimate receiver. Wyner introduced the
notion of weak secrecy, which requires the leaked information rate
$\frac{1}{n} I(M; Z^n)$ to vanish as $n \to \infty$, and established
the weak secrecy capacity, that is, the maximum secure communication
rate achievable over a wiretap channel under this condition. Maurer
and Wolf later highlighted the shortcomings of weak secrecy for
cryptographic purposes, and suggested replacing it with the notion of
strong secrecy, by which the absolute information $I(M; Z^n)$ should
vanish as $n \to \infty$. Surprisingly, this stronger secrecy
requirement does not reduce secrecy capacity [3], [4].

Despite the surge of recent results investigating wiretap 
channels, the design of coding schemes with provable secrecy 
rate has not attracted much attention. Some efforts in coding 
for wiretap channels include [5]–[9].

In this work, we revisit the LDPC-based coset coding scheme of [7]
for the binary erasure wiretap channel. We first show that the dual of
randomly generated LDPC codes can achieve strong secrecy provided the
probability of block error of the LDPC codes decays faster than $1/n$
with the block length $n$ in a binary erasure channel. Then, we show
that for certain small-cycle-free LDPC ensembles, the probability of
block error under iterative decoding decays as 0{\). We obtain this
result by analyzing the stopping sets of LDPC ensembles. Stopping sets
[10], [11] determine whether iterative decoding of LDPC codes under
erasures will succeed or not. Asymptotic enumeration of stopping sets
has been done by several authors (see [12]–[15] and references
therein). We follow the approach in [12], where asymptotics of the
average block error probability of LDPC codes were derived.

Ensembles of LDPC codes with better than $1/n$ average block error
probability are known from prior studies which use expander-based
ideas and stopping set expurgation [16], [17]. Expander-based ideas
typically require minimum bit node degree of five or above resulting
in a decrease in thresholds. Expurgation of stopping sets is usually
more difficult to achieve than expurgation of short cycles in random
constructions. In our approach, we consider ensembles with finite
girth. Restricting the girth results in 0{^) expected block error
probability in irregular ensembles with minimum girth 4 and minimum
bit node degree 3. This enables high erasure thresholds and efficient
construction methods.

In this work, the code construction for strong secrecy is 
fundamentally different from Maurer and Wolf's procedure 
to obtain strong secrecy from weak secrecy [3]. Maurer and
Wolf's method relies on the equivalence of key-generation 
with one-way communication and coding for the wiretap 
channel, while our code construction yields a forward error- 
control scheme directly. Nevertheless, the constraint imposed 
in our code construction limits the achievable secrecy rate. 

The rest of the paper is organized as follows. In Section II, we
briefly review the coset coding scheme for the binary erasure wiretap
channel and establish the connection between strong secrecy and the
decay of probability of block error with code length. In Section III,
we show that the probability of block error for ensembles without
short cycles decays fast enough to guarantee strong secrecy.

II. Secrecy Coding for the Binary Erasure Wiretap Channel

The wiretap channel considered in this work, denoted by
BEWC($\epsilon$), is illustrated in Fig. 1. The channel between the
legitimate parties is noiseless while the eavesdropper's channel is a
binary erasure channel with erasure probability $\epsilon$ (denoted
BEC($\epsilon$)). The secrecy capacity of this wiretap channel is
$C_s =$

Fig. 1. Binary erasure wiretap channel.

The "coset coding" scheme to communicate secretly over this channel,
proposed in [6], is the following. Prior to transmission, Alice and
Bob agree on an $(n, n-k)$ code $C$ with parity check matrix $H$. The
coset of $C$ with syndrome $s^k$ is denoted by
$C(s^k) = \{x^n \in \{0,1\}^n : s^k = H^T x^n\}$. To transmit a
message $M$ of $k$ bits, Alice transmits a codeword $X^n$ chosen
uniformly at random in $C(M)$. Bob decodes his received codeword $X^n$
by forming the syndrome $H^T X^n$.

The following theorem due to Ozarow and Wyner connects 
the equivocation of the eavesdropper to algebraic properties of 
the generator matrix. 

Theorem 1. Let $C$ be an $(n, n-k)$ code with generator matrix
$G = [g_1, \ldots, g_n]$, where $g_i$ represents the $i$-th column of
$G$. Let $z^n$ be an observation of the eavesdropper with $\mu$
unerased positions given by
$\{i : z_i \neq ?\} = \{i_1, \ldots, i_\mu\}$. Let
$G_\mu = [g_{i_1} \ldots g_{i_\mu}]$. Then, $H(M|z^n) = k$ iff $G_\mu$
has full rank.

Based on Theorem 1, we can now connect the rate of convergence of
$I(M; Z^n)$ to the probability that a submatrix of $G$ has full rank.

Lemma 1. Let $G_\mu$ be the submatrix of $G$ corresponding to the
unerased positions in $Z^n$. Let $p_{nf}$ be the probability that
$G_\mu$ is not full rank. Then, a coset coding scheme operates with
strong secrecy if the probability $p_{nf}$ is such that
$p_{nf} = O(1/n^\alpha)$ for some $\alpha > 1$.

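Proof: We can lower bound $H(M|Z^n)$ as

$$\begin{aligned}
H(M|Z^n) &\ge H(M|Z^n, \mathrm{rank}(G_\mu)) \\
&\ge H(M|Z^n, G_\mu \text{ is full rank})\, P[G_\mu \text{ is full rank}] \\
&= k(1 - p_{nf}) = k - R_s n\, p_{nf}
\end{aligned}$$

If $p_{nf} = O(1/n^\alpha)$, then
$I(M; Z^n) = k - H(M|Z^n) \le O(1/n^{\alpha-1})$, which can be made
arbitrarily small for $n$ sufficiently large and $\alpha > 1$. ■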

Let $C^n(\lambda, \rho)$ be an LDPC ensemble with $n$ variable nodes,
left edge degree distribution
$\lambda(x) = \sum_{i \ge 1} \lambda_i x^{i-1}$ and right node degree
distribution $\rho(x) = \sum_{i \ge 1} \rho_i x^{i-1}$ [15, §3.4]
with possibly some expurgations. The degree distributions
$\lambda(x), \rho(x)$ are from an edge perspective, that is,
$\lambda_i$ is the fraction of edges connected to a variable node of
degree $i$ and $\rho_j$ is similarly defined.

Fig. 2. Weak and strong secrecy regions using duals of LDPC codes

Let $P_e^{(n)}(\epsilon)$ denote the probability of block error for
codes from $C^n(\lambda, \rho)$ over BEC($\epsilon$) under iterative
decoding. An important interpretation of $P_e^{(n)}(\epsilon)$ is the
following: for a parity-check matrix $H$ with degree distribution
$(\lambda, \rho)$, $1 - P_e^{(n)}(\epsilon)$ is a lower bound on the
probability that erased columns of $H$ (over a BEC($\epsilon$)) form a
full-rank submatrix. Using this interpretation and results from [7],
we have the following immediate corollary of Lemma 1.

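Corollary 1. If there exists $\epsilon^* > 0$ such that
$P_e^{(n)}(\epsilon) = O(1/n^\alpha)$ ($\alpha > 1$) for
$\epsilon < \epsilon^*$, then the dual of a code from
$C^n(\lambda, \rho)$ used in a coset coding scheme provides strong
secrecy over a BEWC($\epsilon$) for $\epsilon > 1 - \epsilon^*$.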

It is immediately clear that we will have
$\epsilon^* < \epsilon_{th}$, where $\epsilon_{th}$ is the erasure
threshold for the ensemble over LDPC codes [15]. As noted in [7], when
$\epsilon < \epsilon_{th}$ we have weak secrecy. In view of this, we
will have guaranteed weak and strong secrecy regions as illustrated in
Fig. 2 by doing "coset coding" using duals of LDPC codes. We know that
degree distributions can be optimized so that $1 - \epsilon_{th}$ is
very close to the code rate. Since LDPC codes achieve capacity over a
BEC, our coding scheme will achieve weak secrecy very close to the
secrecy rate and strong secrecy slightly away from the secrecy rate.
In the next section, we will show that $\epsilon^*$ exists for some
restricted ensembles of LDPC codes.

III. The LDPC ensemble without short cycles

In this section, we study the sub-ensemble of Tanner graphs [15]
whose girth is at least $2k$ for some integer $k > 2$ which does not
change with the block length $n$. We denote the ensemble of all Tanner
graphs by $\mathcal{G}(n, \lambda, \rho)$ and the sub-ensemble of
girth $> g$ graphs by $\mathcal{G}_g(n, \lambda, \rho)$. We associate
$i$ sockets to each node of degree $i$. An edge in a Tanner graph is
an unordered pair containing one bit node socket and one check node
socket. A Tanner graph with $|E|$ edges has $|E|$ sockets on each
side. Therefore, the size of the ensemble is equal to the number of
permutations of the check node sockets, which is $|E|!$. First we show
that the size of our sub-ensemble is not negligible compared to the
size of the original ensemble as $n \to \infty$.

Lemma 2 ([18, Corollary 4]). Let $n, g$ be even positive integers and
$d > 3$ be an integer. As $n$ grows, let {d—Vf'^^^ — o{n). Then, the
number of (labeled) $d$-regular bipartite graphs on $n$ vertices with
girth greater than $g$ is



{nd/2)\ 



exp 




Note that the number of $d$-regular bipartite graphs on $n$ vertices
is $(nd/2)! / (d!)^n$. The following corollary is then immediate.




Corollary 2. Let $g, n$ be positive even numbers and let $d > 3$ be
an integer. Let $d, g$ remain constant as $n \to \infty$. Then, the
fraction of $(d, d)$ regular bipartite graphs that have girth greater
than $g$ is



exp 



as $n \to \infty$. In particular, this fraction is bounded away from
zero for large $n$.

Lemma 3. Let a $(\lambda, \rho)$ irregular Tanner graph ensemble be
such that $\max\{\deg(\lambda), \deg(\rho)\} > 2$ and the coefficients
of the degree distribution polynomials are rational. Let $g >$ be an
integer that remains constant with block length $n$. There exists an
increasing sequence $(n_k)$ of positive integers such that the
fraction of graphs of girth $> g$ in $\mathcal{G}(n_k, \lambda, \rho)$
is bounded away from zero as $k \to \infty$.

Proof: Let $d$ be the least common multiple of all the vertex degrees
in the graph. Clearly, $d > 2$ and it is a function of only $\lambda$
and $\rho$. Let $a$ be the smallest positive integer such that



d ' 



where A; is the fraction of variable nodes of degree $i$ and pj is
the fraction of check nodes of degree $j$ [15, §3.4]. Consider the
Tanner graph ensemble with $n_k = ak$ variable nodes. We can group
$d/i$ of the degree $i$ variable nodes to get one variable node of
degree $d$. If we do this for all the variable node degrees, we will
have a left regular Tanner graph with left degree $d$. Similarly, we
can repeat this process for the check nodes to get a $(d, d)$ regular
Tanner graph. Note that in this node grouping process, we preserve the
number of edges since the ensemble allows the possibility of multiple
edges. The girth of the resultant regular graph is not more than that
of the original graph. It can also be noted that there is a one-one
correspondence between the graphs in the $(\lambda, \rho)$ ensemble
and those in the $(d, d)$ ensemble. By Lemma 2, the fraction of graphs
with girth $> g$ in the $(d, d)$ ensemble, say $p$, is non-zero if $k$
is large enough. So, the fraction of graphs in the $(\lambda, \rho)$
ensemble with girth $> g$ is at least $p$. This proves the lemma. ■

Remark 1. Let $X$ be a graph dependent positive number. Let $EX$
represent the expectation of $X$ over $\mathcal{G}(n, \lambda, \rho)$.
Let $E_1 X$ be the expectation over $\mathcal{G}_g(n, \lambda, \rho)$
and $E_2 X$ be the expectation over
$\mathcal{G}(n, \lambda, \rho) \setminus \mathcal{G}_g(n, \lambda, \rho)$.
We have

$$EX = q_n E_1 X + (1 - q_n) E_2 X$$

where
$q_n = |\mathcal{G}_g(n, \lambda, \rho)| / |\mathcal{G}(n, \lambda, \rho)|$.
By Lemma 3, there exists a $p > 0$ such that for large $n$, we have
$q_n > p$. Therefore,

$$EX > p E_1 X$$

$$E_1 X < \frac{1}{p} EX$$

This inequality is used to upper bound $E_1 X$ when it is easier to
find an upper bound to $EX$.



A. Stopping sets and stopping number 

For the sake of clarity and completeness, we restate some of the
definitions that were originally stated in [11]. Given a Tanner graph
$G$, let $U$ be any subset of variable nodes in $G$. Let the (check
node) neighbours of $U$ be denoted by $N(U)$. $U$ is called a stopping
set if the degree of all the check nodes in the induced subgraph
$G[U \cup N(U)]$ is at least two. The stopping number of a Tanner
graph is defined as the size of its smallest stopping set. For a given
Tanner graph, its stopping number is denoted by $s^*$ and the set of
all stopping sets is denoted by $\mathbb{S}$. The stopping ratio is
defined as the ratio of the stopping number to the block length.
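The rank condition of Theorem 1, the full-rank interpretation of the
iterative-decoding error probability in Section II, and the stopping
set definition above can be checked side by side on a small code. The
following Python sketch is an added example, not code from the paper:
it uses a constructed 3x7 matrix (the [7,4] Hamming parity checks) in
place of an LDPC parity-check matrix, reads "full rank" as linear
independence of the observed columns, and all function names are
assumptions.

```python
from itertools import combinations, product

# Constructed toy matrix (the [7,4] Hamming parity checks) standing in for an LDPC
# parity-check matrix H. In the dual scheme the coset code C has generator G = H.
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]

def gf2_rank(vectors):
    """Rank over GF(2) of bit vectors packed into ints (XOR basis)."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)      # reduce v by b when b's leading bit is set in v
        if v:
            basis.append(v)
    return len(basis)

def columns_full_rank(U):
    """Theorem 1 test (assumed reading): columns of G at positions U are independent."""
    cols = (sum(row[c] << r for r, row in enumerate(H)) for c in U)
    return gf2_rank(cols) == len(U)

def eve_learns_nothing(U):
    """Brute force: codewords of C show every bit pattern on U, so all cosets fit."""
    seen = {tuple(sum(a * row[c] for a, row in zip(coef, H)) % 2 for c in U)
            for coef in product([0, 1], repeat=len(H))}
    return len(seen) == 2 ** len(U)

def peel(U):
    """Iterative erasure decoding with U erased; returns the stopping set left over."""
    left = set(U)
    while True:
        solved = {c for row in H for c in left
                  if row[c] and sum(row[d] for d in left) == 1}
        if not solved:
            return left
        left -= solved

def is_stopping_set(S):
    """No check node (row of H) has exactly one neighbour in S."""
    return all(sum(row[c] for c in S) != 1 for row in H)

def survey(mu):
    """Count mu-subsets U as (peelable, full rank but not peelable, rank deficient)."""
    counts = [0, 0, 0]
    for U in combinations(range(len(H[0])), mu):
        stuck, secret = peel(U), columns_full_rank(U)
        assert is_stopping_set(stuck) and secret == eve_learns_nothing(U)
        assert secret or stuck     # iterative decoding success implies full rank
        counts[0 if not stuck else 1 if secret else 2] += 1
    return tuple(counts)

print(survey(2), survey(3))
```

For three positions, three of the 35 subsets stall the peeling decoder
yet still have independent columns, which is why the iterative-decoding
success probability is only a lower bound on the full-rank probability.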

The average stopping set distribution is defined as

$$E(s) = E\left(|\{S \in \mathbb{S} : |S| = s\}|\right)$$

where the average is taken over all the Tanner graphs in
$\mathcal{G}(n, \rho, \lambda)$. For any rational
$\alpha \in [0, 1]$, it is assumed that there exists a sequence
$(n_k)$ of strictly increasing block lengths such that
$E(\alpha n_k) > 0$ for all $n_k$. We can then define the normalized
stopping set distribution as

$$\gamma(\alpha) = \lim_{k \to \infty} \frac{1}{n_k} \log E(\alpha n_k)$$

It was shown that $\gamma(\alpha)$ is continuous over the set of
rationals and hence, it can be extended to a continuous function over
$[0, 1]$. The critical exponent stopping ratio of a Tanner graph
ensemble is defined as

$$\alpha^* = \inf\{\alpha > 0 : \gamma(\alpha) > 0\}$$

B. Block error probability of short-cycle-free ensembles 

In this section, we prove a key result about the average block error
probability of short-cycle-free LDPC ensembles, which is central to
our claim that the duals of these codes provide strong secrecy. Let
$P_B^{IT}(C, \epsilon)$ be the probability of block error when the
code $C$ is transmitted over BEC($\epsilon$) and iteratively decoded.
We define [12]

$$\epsilon_{ef} = \sup\left\{\epsilon : \max_{\alpha \in [0, \epsilon]} \left(\gamma(\alpha) + (1 - \alpha)\, h\!\left(\frac{\epsilon - \alpha}{1 - \alpha}\right) - h(\epsilon)\right) < 0\right\}$$

where $h(x)$ is the binary entropy function calculated using natural
logarithms. Note that $\gamma(\alpha)$ and $\epsilon_{ef}$ are
calculated over the entire ensemble $\mathcal{G}(n, \lambda, \rho)$
instead of the girth-restricted ensemble. Instead of calculating
$P_B^{IT}(C, \epsilon)$ directly, we take averages of this quantity
over an ensemble of codes and show that the average block error
probability over the ensemble $\mathcal{G}_{2k}(n, \lambda, \rho)$
decays as fast as we want it to for $\epsilon < \epsilon_{ef}$.

Theorem 2. For $\mathcal{G}_{2k}(n, \lambda, \rho)$, with minimum
variable node degree $l_{\min}$, maximum variable node degree
$l_{\max}$ and maximum check node degree $r_{\max} > 2$ we have

E,{P'^{C,e)) = o( J 

and in the limits of small $\epsilon$ and large $n$



Ei(Pj3^(C,e)) = 



Proof: Let $V_e$ be the set of variable nodes corresponding to the
random erasures in the LDPC codeword. The iterative decoding fails iff
$V_e$ contains a stopping set. So,

$$P_B^{IT}(C, \epsilon) = P(\exists S \in \mathbb{S} : S \subset V_e)$$

For any $\delta_1, \delta_2 > 0$, we bound $P_B^{IT}(C, \epsilon)$
using union bound as

5in — l 

i—k 

+ V{3S e § ; 5 C V;, (5in < \S\ < (e + 52)n) 
+ V{3S e S : 5 C K, (e + ^2)^^ < IS*! < n) 



Using an argument almost identical to the one used in [12, Theorem
16], we can show that the expectations of the second and the third
terms go to zero exponentially as $n \to \infty$ if
$\epsilon < \epsilon_{ef}$. Now,

/<5in-l \ 

Ei(|{5gS: 1^1 =i}|)e' 
< - E E(|{5e§:|5|=*}|)e^ 



5i7l~ 1 

E 

■i—k 
(5in— 1 



p 



i—k 



A stopping set of i variable nodes can have nodes of 
different degrees. Let Si denote the set of all non-negative 
integer solutions to the equation + • • •+*/,„ax = *■ 

We can write 

E(|{5g§: is*! ^i}\)e' 



n \ \ ^ 



^ ( \E\ 



Here, $A$ is the number of ways to connect the selected $i$ variable
nodes to form a stopping set. This number is independent of $n$ as
long as $i$ is just a small fraction of it. We also note that if we
increase the degree of all the check nodes in the graph, $A$ can only
increase. Therefore, we may upper bound $A$ by the number of ways to
form a stopping set assuming each check node has the maximum possible
degree, $r_{\max}$. The latter
number is equal to cocf (((1 + a:)''""'^ — rmaxa^)™ , by 
elementary combinatorics. We have. 



^< coef (((l + x)'- 



< 



E - 



where the last inequality follows from [12, Lemma 18]. If we denote
$\sum_l l\, i_l$ by $w$, we have $i l_{\min} \le w \le i l_{\max}$. So,

E(|{5e§:|5|=z}|)6^ 



<eM , (2r, 



3)* 



E 
E 



1 



(m+ %^)^^^ 
LfJ!(|£;|-zZ^axr 



If we denote the summand by $f(w)$, we have

/(2r+l) _ 2r+l ^ 
/(2r) |£|-ii,„ax - 

if we choose $\delta_1$ small enough. Also,



- |£;|-<5inimax - 



/(2r+2) _ r, '"+- 2 <- o "'^ 2 
/(2r+l) ~ |£;|-i/„,ax - |B|-(5in/„,ax 

Since $r_{\max} > 2$ we have $|E| > 2m$. Again, if we choose
$\delta_1$ small enough, we will have $f(2r+2)/f(2r+1) < 1$. So,
$f(w)$ is a non-increasing function and $w \ge i l_{\min}$. We now
have

E{\{SeS■.\S\^^}\)e^ 

<e^C^)(2r,„ax-3)''»^^ 



m + 



iima. 
Here, rg = m/n and ri = depend only on $\rho$ and $\lambda$. If $i$
remains a constant as $n \to \infty$, we have

1 
Using |±f < 2, i;,ni„ + 2lnun < M^-^in, [a:] + 1 > X,
Choosing E (0, 1) such that
where $B$ depends only on $\lambda$ and $\rho$.

If $\delta_1$ is small enough, then the summation in the above
equation is bounded by a decreasing geometric sum. So,

/Sin-l \ 

J2 \{SeS■.\S\=^}\e^]^0 



El 



El {P'JiC,e))=0 




(2) 



as $\epsilon \to 0$ and $n \to \infty$. ■

From the above theorem, the average block error probability in our
ensemble decays faster than $1/n$ for $l_{\min} > 2$ and $k > 3$. This
corresponds to LDPC ensembles with a minimum bit node degree of at
least 3 and girth at least 4. By Corollary 1, the duals of these LDPC
codes achieve strong secrecy over a BEWC of erasure probability
$1 - \epsilon_{ef}$.

The (3, 6) regular LDPC ensemble has $\epsilon_{th} = 0.429$,
$\epsilon_{ef} = 0.366$ and rate 1/2. When duals of codes in this
ensemble are used on BEWC($\epsilon$), a secret communication rate of
0.5 is achieved with weak secrecy when
$\epsilon \in (0.571, 0.634)$ and with strong secrecy when
$\epsilon > 0.634$. Our numerical calculations indicate that some of
the degree distributions that are optimized for very high
$\epsilon_{th}$ have $\epsilon_{ef} < 0.366$.

IV. Conclusion and future directions 

In this work, we have shown that duals of LDPC codes with girth
greater than 4 and minimum left degree at least 3 achieve strong
secrecy on the binary erasure wiretap channel. LDPC ensembles with
degree 2 nodes play an important role in achieving capacity on the
binary erasure channel. Further study is required on the relationship
between these LDPC codes and strong secrecy. Another research
possibility involves optimizing the degree distributions to find LDPC
ensembles with a very high $\epsilon_{ef}$ for a given rate.